Enterprise IAM
Keep identity durable, authority workspace-scoped, and IAM posture understandable in enterprise review.
Use this page when
Read this page when a buyer or operator asks how OSuite separates identity from authority.
What this page explains
Accounts identify people or service principals. Workspaces decide what those actors can do. That split keeps authority durable across SSO changes, provider changes, and membership churn.
Role model
| Layer | Example roles | Why it exists |
|---|---|---|
| Platform | platform super admin, support-readonly | keeps host operations separate from customer tenancy |
| Workspace | owner, admin, security admin, member | controls approvals, exports, runtime posture, and governance inside the tenant |
| Delegated actor | trusted agent, automation identity, partner bridge | allows bounded machine action without collapsing human ownership |
Questions buyers will ask
- Which identity providers are configured?
- Is SSO active or partial?
- Is JIT provisioning or group sync ready?
- Which roles can approve, export, or change plugin posture?
What success looks like
IAM is legible when a reviewer can see who the actor is, what workspace they belong to, and what authority still requires a named human approver.
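
The split described above, as an added example that is not OSuite code: workspace roles are keyed by a durable account id, so swapping the identity provider binding changes nothing about authority, and a delegated actor acts only inside its bounds with a named human approver. The role-to-action mapping, the rule that every delegated action needs an approver, and all names (`Account`, `Workspace`, `decide`, `relink_idp`) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed mapping: the page names these roles and actions but does not
# publish which role holds which action.
ROLE_ACTIONS = {
    "owner": {"approve", "export", "change_plugin_posture"},
    "admin": {"approve", "export"},
    "security admin": {"approve", "change_plugin_posture"},
    "member": set(),
}
DELEGATED_KINDS = {"trusted agent", "automation identity", "partner bridge"}

@dataclass
class Account:
    account_id: str                                # durable key, never the IdP subject
    kind: str = "human"
    idp_links: set = field(default_factory=set)    # (provider, subject) pairs

@dataclass
class Workspace:
    name: str
    roles: dict = field(default_factory=dict)        # account_id -> workspace role
    delegations: dict = field(default_factory=dict)  # account_id -> allowed actions

    def decide(self, actor, action, approver=None):
        """Return (allowed, reason) for one action inside this workspace."""
        if actor.kind in DELEGATED_KINDS:
            if action not in self.delegations.get(actor.account_id, set()):
                return False, "outside delegated bounds"
            if approver is None or approver.kind != "human":
                return False, "needs named human approver"
            if action not in ROLE_ACTIONS.get(self.roles.get(approver.account_id), set()):
                return False, "approver lacks authority in this workspace"
            return True, f"approved by {approver.account_id}"
        role = self.roles.get(actor.account_id)
        if action in ROLE_ACTIONS.get(role, set()):
            return True, f"role {role}"
        return False, "no workspace authority"

def relink_idp(account, old, new):
    """Swap the IdP binding; roles are keyed by account_id and stay untouched."""
    account.idp_links.discard(old)
    account.idp_links.add(new)

if __name__ == "__main__":
    alice = Account("acct-1", idp_links={("idp-old", "alice")})   # constructed sample
    ws = Workspace("ws-a", roles={"acct-1": "admin"})
    relink_idp(alice, ("idp-old", "alice"), ("idp-new", "a.smith"))
    print(ws.decide(alice, "export"))
```

The reason string returned by `decide` names the role or the approver behind each allow, which is the kind of record a reviewer needs to see who acted and under whose authority.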